opennebula-4.12.1-nospoofevenwithnosgs.diff
| opennebula-4.12.1-nospoofevenwithnosgs/src/vnm_mad/remotes/lib/security_groups_iptables.rb 2015-12-21 16:02:56.170609334 -0600 | ||
| 247 | 247 |
# |
| 248 | 248 |
# IP spoofing |
| 249 | 249 |
# iptables -A one-3-0-o ! --source 10.0.0.1 -j DROP |
| 250 |
def self.nic_pre(vm, nic) |
|
| 250 |
def self.nic_pre(vm, nic, antiSpoofingOnly)
|
|
| 251 | 251 |
commands = VNMNetwork::Commands.new |
| 252 | 252 | |
| 253 | 253 |
vars = SGIPTables.vars(vm, nic) |
| ... | ... | |
| 275 | 275 |
end |
| 276 | 276 | |
| 277 | 277 |
# Related, Established |
| 278 |
commands.add :iptables, "-A #{chain_in} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
| 279 |
commands.add :iptables, "-A #{chain_out} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
| 278 |
if !antiSpoofingOnly |
|
| 279 |
commands.add :iptables, "-A #{chain_in} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
| 280 |
commands.add :iptables, "-A #{chain_out} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
| 281 |
end |
|
| 280 | 282 | |
| 281 | 283 |
commands.run! |
| 282 | 284 |
end |
| ... | ... | |
| 284 | 286 |
# Sets the default policy to DROP for the NIC rules. Example |
| 285 | 287 |
# iptables -A one-3-0-i -j DROP |
| 286 | 288 |
# iptables -A one-3-0-o -j DROP |
| 287 |
def self.nic_post(vm, nic) |
|
| 289 |
def self.nic_post(vm, nic, antiSpoofingOnly)
|
|
| 288 | 290 |
vars = SGIPTables.vars(vm, nic) |
| 289 | 291 |
chain_in = vars[:chain_in] |
| 290 | 292 |
chain_out = vars[:chain_out] |
| 291 | 293 | |
| 292 | 294 |
commands = VNMNetwork::Commands.new |
| 293 |
commands.add :iptables, "-A #{chain_in} -j DROP"
|
|
| 294 |
commands.add :iptables, "-A #{chain_out} -j DROP"
|
|
| 295 |
if !antiSpoofingOnly |
|
| 296 |
commands.add :iptables, "-A #{chain_in} -j DROP"
|
|
| 297 |
commands.add :iptables, "-A #{chain_out} -j DROP"
|
|
| 298 |
end |
|
| 295 | 299 | |
| 296 | 300 |
commands.run! |
| 297 | 301 |
end |
| ... | ... | |
| 338 | 342 |
end |
| 339 | 343 |
end |
| 340 | 344 | |
| 341 |
end |
|
| 345 |
end |
|
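Review bot: The new `antiSpoofingOnly` positional parameter on `nic_pre` (new line 250) and `nic_post` (new line 289) has no default, so any caller other than the updated sg_driver.rb would now fail with an ArgumentError; `def self.nic_pre(vm, nic, anti_spoofing_only = false)` (and the same for `nic_post`) keeps two-argument calls working and follows Ruby's snake_case convention, with `unless anti_spoofing_only` replacing `if !antiSpoofingOnly` here and in sg_driver.rb. The comment block above `nic_pre` still describes only the spoofing rule and should state the new contract, e.g. `# anti_spoofing_only: when true, only the anti-spoofing DROP rules are installed — no ESTABLISHED,RELATED accept here and no default DROP in nic_post — so every non-spoofed packet falls through to the parent chain.` The two methods are only consistent because sg_driver.rb passes the same flag to both; called with different values the chains would either accept return traffic into a chain with no terminal rule or drop everything including established flows, which is worth stating in that comment as well. The rules on the elided lines 253–275 are outside this view.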
| opennebula-4.12.1-nospoofevenwithnosgs/src/vnm_mad/remotes/lib/sg_driver.rb 2015-12-21 16:01:43.267614278 -0600 | ||
| 59 | 59 | |
| 60 | 60 |
# Process the rules |
| 61 | 61 |
@vm.nics.each do |nic| |
| 62 |
next if nic[:security_groups].nil? |
|
| 62 |
if nic[:security_groups].nil? |
|
| 63 |
# If there are no security groups, just add antispoofing rules |
|
| 64 |
nic[:security_groups] = "" |
|
| 65 | ||
| 66 |
antiSpoofingOnly = true |
|
| 67 |
else |
|
| 68 |
antiSpoofingOnly = false |
|
| 69 |
end |
|
| 63 | 70 | |
| 64 |
SGIPTables.nic_pre(@vm, nic) |
|
| 71 |
SGIPTables.nic_pre(@vm, nic, antiSpoofingOnly)
|
|
| 65 | 72 | |
| 66 | 73 |
sg_ids = nic[:security_groups].split(",")
|
| 67 | 74 | |
| ... | ... | |
| 81 | 88 |
end |
| 82 | 89 |
end |
| 83 | 90 | |
| 84 |
SGIPTables.nic_post(@vm, nic) |
|
| 91 |
SGIPTables.nic_post(@vm, nic, antiSpoofingOnly)
|
|
| 85 | 92 |
end |
| 86 | 93 | |
| 87 | 94 |
unlock |
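Review bot: The nil check at new lines 62–69 writes `nic[:security_groups] = ""` into the nic hash only so that the later `split(",")` on line 73 succeeds, and the flag is derived from the same nil test, so the block reads more directly as `anti_spoofing_only = nic[:security_groups].nil?` followed by `sg_ids = nic[:security_groups].to_s.split(",")`, leaving the nic untouched. A NIC whose `security_groups` is present but empty (`""`) still takes the full-policy path: `sg_ids` is `[]`, presumably no group rules are added in the elided loop, and `nic_post` then closes both chains with `-j DROP`, so such a VM passes no traffic at all; if that is intended (an explicit empty list means isolate) a comment such as `# An empty security group list keeps the default DROP; only a missing one is anti-spoofing only` would stop it being read as the new nil case, and if it is not intended the test should be `.to_s.empty?`. The method enclosing this `each` block starts before the hunk.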